Tata Motors patches security flaws that leaked sensitive customer and company data

The exposed data included hundreds of thousands of customer invoices, which detailed personal information such as names, mailing addresses, and Permanent Account Numbers (PAN).

By Storyboard18, Oct 29, 2025 9:04 AM

Tata Motors has addressed a series of security vulnerabilities that left sensitive company and customer information exposed on the public internet, as per reports. The flaws were discovered in the automotive giant's digital infrastructure, including an e-commerce spare parts portal and a fleet-tracking service.

Security researcher Eaton Zveare identified the vulnerabilities within Tata Motors’ E-Dukaan unit, an online platform for commercial vehicle spare parts. The researcher reported finding private keys in the portal's web source code; the keys granted both access and modification rights within the company's Amazon Web Services (AWS) account.

The exposed data included hundreds of thousands of customer invoices, which detailed personal information such as names, mailing addresses, and Permanent Account Numbers (PAN). Additional exposed data, including MySQL database backups and Apache Parquet files, contained further private customer communications.

The compromised AWS keys also enabled access to over 70 terabytes of data linked to Tata Motors’ FleetEdge fleet-tracking software. Furthermore, the researcher confirmed finding backdoor admin access to a Tableau account, which stored internal financial reports, dealer scorecards, performance metrics, and various dashboards for over 8,000 users. API access to the company's fleet management platform, Azuga, was also exposed.

Zveare reported the issues to Tata Motors via the Indian computer emergency response team, CERT-In, in August 2023. Tata Motors confirmed to TechCrunch that the reported flaws were fully addressed in 2023. However, the company declined to state whether it had notified the affected customers about the data exposure.

Sudeep Bhalla, Tata Motors' communications head, affirmed the company's prompt action: "We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed." The company noted that its infrastructure is regularly audited and that it maintains comprehensive access logs to monitor for unauthorized activity.

First Published on Oct 29, 2025 9:09 AM
